actiTIME 2015.2 Multiple Vulnerabilities

Severity
Medium
Advisory ID
ZSL-2015-5273
Release Date
31 October 2015
Vendor
Actimind, Inc. - http://www.actitime.com
Affected Version
2015.2 (Small Team Edition)
CVE
N/A
Tested On
OS/Platform: Windows 7 6.1 for x86
Servlet Container: Jetty/5.1.4
Servlet API Version: 2.4
Java: 1.7.0_76-b13
Database: MySQL 5.1.72-community-log
Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13
Patch level: 28.0
Summary

actiTIME is web timesheet software. It lets you record time spent on different work assignments, register time off and sick leave, and then create detailed reports covering almost any management or accounting need.

Description

The application suffers from multiple security vulnerabilities: Open Redirection, HTTP Response Splitting, and an Unquoted Service Path allowing Elevation of Privilege.

Proof of Concept
Disclosure Timeline
13.10.2015 Vulnerabilities discovered.
19.10.2015 Vendor contacted.
30.10.2015 No response from the vendor.
31.10.2015 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
31.10.2015 Initial release
03.11.2015 Added references [1], [2] and [3]
08.11.2015 Added reference [4]
14.11.2015 Added references [5], [6] and [7]